Exploit for IE 3 to IE 11 spotted in the wild and added to exploit kit

Cybercriminals have added an exploit for a recently patched vulnerability, one that has existed since Windows 95, to a widely used exploit kit. The vulnerability is CVE-2014-6332, which Microsoft patched on November 11th. It was present in Internet Explorer 3.0 on Windows 95, and IE 11 on the Windows 10 Technical Preview was also still vulnerable. An attacker who successfully uses the exploit gains full control over the system.

The vulnerability in Windows Object Linking and Embedding (OLE) was caused by the way IE uses memory objects. IBM researchers discovered the problem in May this year and warned Microsoft, which patched the vulnerability this month. Further research revealed that the vulnerable code already existed in Windows 95, which could be attacked remotely through IE 3.0.

Last week security company ESET reported that it had found an exploit for the vulnerability on a popular Bulgarian website. Security researcher Kafeine of the "Malware Don't Need Coffee" blog reports that the exploit has now also been added to the Sweet Orange exploit kit.

Availability in an exploit kit means the vulnerability can be abused on a large scale through hacked and malicious websites and, for example, infected advertisements. Windows users who installed the November updates are no longer vulnerable; users who haven't installed the update yet are advised to do so as soon as possible.
